1 / 48

Cryptography Overview

CS155. Cryptography Overview. Cryptography. Is A tremendous tool The basis for many security mechanisms Is not The solution to all security problems Reliable unless implemented properly Reliable unless used properly Something you should try to invent or implement yourself.

eitan
Download Presentation

Cryptography Overview

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CS155 Cryptography Overview

  2. Cryptography • Is • A tremendous tool • The basis for many security mechanisms • Is not • The solution to all security problems • Reliable unless implemented properly • Reliable unless used properly • Something you should try to invent or implement yourself

  3. Auguste Kerckhoffs • A cryptosystem should be secure even if everything about the system, except the secret key, is public knowledge. baptised as Jean-Guillaume-Hubert-Victor-François- Alexandre-Auguste Kerckhoffs von Nieuwenhof

  4. Goal 1:secure communication Step 1: Session setup to exchange key Step 2: encrypt data HTTPS

  5. Goal 2: Protected files Disk File 1 Alice Alice No eavesdropping No tampering File 2 Analogous to secure communication: Alice today sends a message to Alice tomorrow

  6. Symmetric Cryptography Assumes parties already share a secret key

  7. Building block: sym. encryption nonce Alice Bob E, D: cipher k: secret key (e.g. 128 bits) m, c: plaintext, ciphertext n: nonce (aka IV) Encryption algorithm is publicly known • Never use a proprietary cipher m, n D(k,c,n)=m E c, n D E(k,m,n)=c k k

  8. Use Cases Single use key: (one time key) • Key is only used to encrypt one message • encrypted email: new key generated for every email • No need for nonce (set to 0) Multi use key: (many time key) • Key used to encrypt multiple messages • SSL: same key used to encrypt many packets • Need either unique nonce or random nonce

  9. 0 1 1 1 1 0 0 0 0 1 0 1 0 1 1 1 0 1 0 1 1 0 0 0 0 1 1 0 0 0 First example: One Time Pad (single use key) • Vernam (1917) • Shannon ‘49: • OTP is “secure” against ciphertext-only attacks Key:  Plaintext: Ciphertext:

  10. Stream ciphers (single use key) Problem: OTP key is as long the message Solution: Pseudo random key -- stream ciphers Stream ciphers: RC4 (126 MB/sec) , Salsa20/12 (643 MB/sec) key c  PRG(k)  m PRG  message ciphertext

  11. One time key !! “Two time pad” is insecure: C1 m1  PRG(k) C2 m2  PRG(k) Eavesdropper does: C1  C2  m1  m2 Enough redundant information in English that: m1  m2  m1 , m2 Dangers in using stream ciphers

  12. Block ciphers: crypto work horse n Bits n Bits E, D PT Block CT Block Key k Bits • Canonical examples: • 3DES: n= 64 bits, k = 168 bits • AES: n=128 bits, k = 128, 192, 256 bits • IV handled as part of PT block

  13. mL mR mR  mLF(k,mR) Building a block cipher Input: (m, k) Repeat simple “mixing” operation several times  DES: Repeat 16 times:  AES-128: Mixing step repeated 10 times Difficult to design: must resist subtle attacks  differential attacks, linear attacks, brute-force, …

  14. Block Ciphers Built by Iteration key k R(k,m): round function for DES (n=16), for AES (n=10) key expansion k1 k2 k3 kn m c R(k1, ) R(k2, ) R(k3, ) R(kn, )

  15. Incorrect use of block ciphers Electronic Code Book (ECB): Problem: • if m1=m2 then c1=c2 PT: m1 m2 c2 c1 CT:

  16. In pictures

  17. Correct use of block ciphers I: CBC mode E a secure PRP. Cipher Block Chaining with random IV: IV m[0] m[1] m[2] m[3]     E(k,) E(k,) E(k,) E(k,) IV c[0] c[1] c[2] c[3] ciphertext Q: how to do decryption?

  18. Use cases: how to choose an IV Single use key: no IV needed (IV=0) Multi use key: (CPA Security) Best: use a fresh random IV for every message Can use unique IV (e.g counter) but then first step in CBC must beIV’  E(k1,IV) benefit: may save transmitting IV with ciphertext

  19. CBC with Unique IVs unique IV means: (k,IV) pair is used for only one message may be predictable so use E(k1,) as PRF IV m[0] m[1] m[2] m[3] IV′     E(k1,) E(k,) E(k,) E(k,) E(k,) IV c[0] c[1] c[2] c[3] ciphertext

  20. In pictures

  21. Correct use of block ciphers II: CTR mode Counter mode with a random IV: (parallel encryption) IV m[0] m[1] … m[L]  E(k,IV) E(k,IV+1) … E(k,IV+L) IV c[0] c[1] … c[L] ciphertext • Why are these modes secure? not today.

  22. Performance: Crypto++ 5.6.0 [ Wei Dai ] Intel Core 2 (on Windows Vista) CipherBlock/key sizeSpeed (MB/sec) RC4 126 Salsa20/12643 3DES 64/168 10 AES/GCM 128/128 102

  23. Data integrity

  24. Verify tag: V(k, m, tag) = `yes’ ? Message Integrity: MACs • Goal: message integrity. No confidentiality. • ex: Protecting public binaries on disk. k k Message m tag Alice Bob Generate tag: tag  S(k, m) note: non-keyed checksum (CRC) is an insecure MAC !!

  25. Secure MACs • Attacker information: chosen message attack • for m1,m2,…,mq attacker is given ti S(k,mi) • Attacker’s goal: existential forgery. • produce some new valid message/tag pair (m,t). (m,t)  { (m1,t1) , … , (mq,tq) } • A secure PRF gives a secure MAC: • S(k,m) = F(k,m) • V(k,m,t): `yes’ if t = F(k,m) and `no’ otherwise.

  26. Construction 1: ECBC m[0] m[1] m[2] m[3]    E(k,) E(k,) E(k,) E(k,) Raw CBC E(k1,) tag key = (k, k1)

  27. Construction 2: HMAC (Hash-MAC) Most widely used MAC on the Internet. H: hash function. example: SHA-256 ; output is 256 bits Building a MAC out of a hash function: Standardized method: HMAC S( k, m ) = H( kopad || H( kipad || m ))

  28. SHA-256: Merkle-Damgard h(t, m[i]): compression function Thm 1: if h is collision resistant then so is H “Thm 2”: if h is a PRF then HMAC is a PRF m[0] m[1] m[2] m[3] h h h h H(m) IV

  29. P(k,3) P(k,1) P(k,0) P(k,2) Construction 3: PMAC – parallel MAC ECBC and HMAC are sequential. PMAC: m[0] m[1] m[2] m[3]     F(k,) F(k,) F(k,) F(k,)  F(k1,) tag

  30. Why are these MAC constructions secure? … not today – take CS255 • Why the last encryption step in ECBC? • CBC (aka Raw-CBC) is not a secure MAC: • Given tag on a message m, attacker can deduce tag for some other message m’ • How: good crypto exercise…

  31. Authenticated Encryption: Encryption + MAC

  32. Combining MAC and ENC (CCA) Encryption key KE MAC key = KI Option 1: MAC-then-Encrypt (SSL) Option 2: Encrypt-then-MAC (IPsec) Option 3: Encrypt-and-MAC (SSH) MAC(M,KI) Enc KE Msg M Msg M MAC MAC(C, KI) Enc KE Secure on general grounds MAC Msg M MAC(M, KI) Enc KE MAC Msg M

  33. P(N,k,1) P(N,k,0) P(N,k,3) P(N,k,2) P(N,k,1) P(N,k,0) P(N,k,3) P(N,k,2) P(N,k,0) auth OCB offset codebook mode More efficient authenticated encryption m[0] m[1] m[2] m[3] checksum      E(k,) E(k,) E(k,) E(k,) E(k,)      c[0] c[1] c[2] c[3] c[4] Rogaway, …

  34. Public-key Cryptography

  35. Public key encryption: (Gen, E, D) Gen pk sk E D m c c m

  36. Applications Session setup (for now, only eavesdropping security) Non-interactive applications: (e.g. Email) • Bob sends email to Alice encrypted using pkalice • Note: Bob needs pkalice(public key management) pk E(pk, x) Bob Alice Generate (pk, sk) choose random x (e.g. 48 bytes) x

  37. Applications Encryption in non-interactive settings: • Encrypted File Systems read Alice write skA E(pkA, KF) Bob E(kF, File) E(pkB, KF) File

  38. Applications Encryption in non-interactive settings: • Key escrow: data recovery without Bob’s key Escrow Service write skescrow E(pkescrow, KF) Bob E(kF, File) E(pkB, KF)

  39. Trapdoor functions (TDF) Def: a trapdoor func. X⟶Y is a triple of efficient algs. (G, F, F-1) • G(): randomized alg. outputs key pair (pk, sk) • F(pk,⋅): det. alg. that defines a func. X ⟶ Y • F-1(sk,⋅): defines a func. Y ⟶ X that inverts F(pk,⋅) Security: F(pk,⋅) is one-way without sk

  40. Public-key encryption from TDFs • (G, F, F-1): secure TDF X ⟶ Y • (Es, Ds) : symm. auth. encryption with keys in K • H: X ⟶ K a hash function We construct a pub-key enc. system (G, E, D): Key generation G: same as G for TDF

  41. Public-key encryption from TDFs • (G, F, F-1): secure TDF X ⟶ Y • (Es, Ds) : symm. auth. encryption with keys in K • H: X ⟶ K a hash function E( pk, m): x ⟵ X, y ⟵ F(pk, x) k ⟵ H(x), c ⟵ Es(k, m) output (y, c) D(sk, (y,c) ): x ⟵ F-1(sk, y), k ⟵ H(x), m ⟵ Ds(k, c) output m R

  42. F(pk, x) Es( H(x), m ) In pictures: Security Theorem: If (G, F, F-1) is a secure TDF, (Es, Ds) provides auth. enc. and H: X ⟶ K is a “random oracle” then (G,E,D) is CCAro secure. header body

  43. Digital Signatures • Public-key encryption • Alice publishes encryption key • Anyone can send encrypted message • Only Alice can decrypt messages with this key • Digital signature scheme • Alice publishes key for verifying signatures • Anyone can check a message signed by Alice • Only Alice can send signed messages

  44. Digital Signatures from TDPs • (G, F, F-1): secure TDP X ⟶ X • H: M ⟶ X a hash function Security: existential unforgeability under a chosen message attack in the random oracle model Verify(pk, m, sig): output 1 if H(m) = F(pk, sig) 0 otherwise Sign(sk, m∈X): output sig = F-1(sk, H(m) )

  45. Public-Key Infrastructure (PKI) • Anyone can send Bob a secret message • Provided they know Bob’s public key • How do we know a key belongs to Bob? • If imposter substitutes another key, can read Bob’s mail • One solution: PKI • Trusted root Certificate Authority (e.g. Symantec) • Everyone must know the verification key of root CA • Check your browser; there are hundreds!! • Root authority signs intermediate CA • Results in a certificate chain

  46. Back to SSL/TLS Version, Crypto choice, nonce S C Version, Choice, nonce, Signed certificate containing server’s public key Ks Secret key K encrypted with server’s key Ks switch to negotiated cipher Hash of sequence of messages Hash of sequence of messages data transmission

  47. Limitations of cryptography • Most security problems are not crypto problems • This is good: cryptography works! • This is bad • People make other mistakes; crypto doesn’t solve them • Misuse of cryptography is fatal for security • WEP – ineffective, highly embarrassing for industry • Occasional unexpected attacks on systems subjected to serious review

More Related